Monday 8 October 2012

Confirmation e-mail shows password vulnerability

This week it happened again: I received an e-mail confirming that an account had been created for me at a webshop. Yes, it is very comforting to know that you have an account. But apart from the fact that I had created yet another account somewhere in the cloud, I noticed that the e-mail showed my account credentials in full text. Reading my account name was not that special, but seeing the password I had entered on the site was less reassuring.
If the mail server sends an e-mail containing a readable password, my password must be available to the mail server in readable form. That in turn means the password is unencrypted somewhere between the website and the mail server. In most cases a content management system (with a user database) or a webshop system (with some kind of CRM database) is familiar with my account, and both of these systems use the mail server to inform me about all transactions, including account creation. The same can happen when you click the link for the forgotten-password function: some systems resend you the password of your account, so they must be able to read that password from your account record in the database.
For me this implies that the CMS and/or CRM system does not store the password in encrypted form; otherwise, how could the mail server obtain the content for the e-mail? I don't suppose these systems use a brute-force attack to discover your password...

In this case I informed the webshop owner that I suspected a vulnerability in the user management function.

Best practices:
  • Use third-party identities (OAuth, OpenID etc.) to create customer accounts; that way you don't store passwords at all;
  • Use a hashing function for passwords in the database (and please pick a secure algorithm);
  • If your CMS or CRM doesn't support encryption of passwords, change to a secure system.
And never, ever send an e-mail with the password in readable form. Instead, send an e-mail with a link to the password reset function.
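The two practices above (store only a password hash; send a reset link rather than the password) fit together in a few dozen lines. The following is an added example written for this post, not code from any webshop, CMS or CRM product. It assumes an in-memory dictionary as a stand-in for the user table, returns the would-be mail body as a string instead of sending mail, and uses the placeholder domain `https://shop.example`; the PBKDF2 iteration count and the 15-minute token lifetime are assumptions, not values from the post. The point to notice is that neither the welcome mail, the reset mail, nor the stored records ever contain anything from which the password (or a usable reset link) can be read back.

```python
"""Account store that never keeps, nor e-mails, a readable password.

Added example for this post (not a product's code). The dicts stand in for the
CMS/CRM user tables, the returned strings stand in for mail bodies, and
https://shop.example is a placeholder domain.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000    # assumption: work factor for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL = 15 * 60      # assumption: reset link valid for 15 minutes
SITE = "https://shop.example"  # placeholder domain


def hash_password(password: str) -> str:
    """Return a self-describing record "algo$iterations$salt$digest"; the password itself is gone."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class AccountStore:
    """Constructed stand-in for the user database; `clock` is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self.users = {}   # email -> {"password": hash record}
        self.resets = {}  # sha256(token) -> {"email": ..., "expires": ...}
        self.clock = clock

    def create_account(self, email: str, password: str) -> str:
        """Store only the hash, so the confirmation mail cannot contain the password."""
        self.users[email] = {"password": hash_password(password)}
        return f"Your account {email} at {SITE} has been created."

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        return user is not None and verify_password(password, user["password"])

    def request_reset(self, email: str):
        """Build a one-time reset mail. Only the token's hash is stored, so a copy of
        the database does not yield a working link. Returns None for unknown accounts
        (nothing to send); the HTTP response should look identical in both cases."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.resets[hashlib.sha256(token.encode()).hexdigest()] = {
            "email": email,
            "expires": self.clock() + RESET_TOKEN_TTL,
        }
        return f"To choose a new password, visit {SITE}/reset?token={token}"

    def redeem_reset(self, token: str, new_password: str) -> bool:
        """Consume the token (single use) and reject it if unknown or expired."""
        entry = self.resets.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or self.clock() > entry["expires"]:
            return False
        self.users[entry["email"]]["password"] = hash_password(new_password)
        return True
```

A quick check of what this buys you: after `store.create_account("alice@example.com", "correct horse")`, the string "correct horse" appears neither in the returned mail body nor in `store.users`, yet `store.login("alice@example.com", "correct horse")` is `True`. A mail server that can only see such records has nothing readable to put in an e-mail, which is exactly the property the webshop in this story lacked.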

If you encounter sites that email your password (either at create time or at password reset), please inform the webmaster of this vulnerability.